1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * (C) 2011 Pablo Neira Ayuso <pablo@netfilter.org> 4 * (C) 2011 Intra2net AG <https://www.intra2net.com> 5 */ 6 #include <linux/init.h> 7 #include <linux/module.h> 8 #include <linux/kernel.h> 9 #include <linux/skbuff.h> 10 #include <linux/atomic.h> 11 #include <linux/refcount.h> 12 #include <linux/netlink.h> 13 #include <linux/rculist.h> 14 #include <linux/slab.h> 15 #include <linux/types.h> 16 #include <linux/errno.h> 17 #include <net/netlink.h> 18 #include <net/sock.h> 19 #include <net/netns/generic.h> 20 21 #include <linux/netfilter.h> 22 #include <linux/netfilter/nfnetlink.h> 23 #include <linux/netfilter/nfnetlink_acct.h> 24 25 MODULE_LICENSE("GPL"); 26 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); 27 MODULE_DESCRIPTION("nfacct: Extended Netfilter accounting infrastructure"); 28 29 struct nf_acct { 30 atomic64_t pkts; 31 atomic64_t bytes; 32 unsigned long flags; 33 struct list_head head; 34 refcount_t refcnt; 35 char name[NFACCT_NAME_MAX]; 36 struct rcu_head rcu_head; 37 char data[]; 38 }; 39 40 struct nfacct_filter { 41 u32 value; 42 u32 mask; 43 }; 44 45 struct nfnl_acct_net { 46 struct list_head nfnl_acct_list; 47 }; 48 49 static unsigned int nfnl_acct_net_id __read_mostly; 50 51 static inline struct nfnl_acct_net *nfnl_acct_pernet(struct net *net) 52 { 53 return net_generic(net, nfnl_acct_net_id); 54 } 55 56 #define NFACCT_F_QUOTA (NFACCT_F_QUOTA_PKTS | NFACCT_F_QUOTA_BYTES) 57 #define NFACCT_OVERQUOTA_BIT 2 /* NFACCT_F_OVERQUOTA */ 58 59 static int nfnl_acct_new(struct net *net, struct sock *nfnl, 60 struct sk_buff *skb, const struct nlmsghdr *nlh, 61 const struct nlattr * const tb[], 62 struct netlink_ext_ack *extack) 63 { 64 struct nfnl_acct_net *nfnl_acct_net = nfnl_acct_pernet(net); 65 struct nf_acct *nfacct, *matching = NULL; 66 char *acct_name; 67 unsigned int size = 0; 68 u32 flags = 0; 69 70 if (!tb[NFACCT_NAME]) 71 return -EINVAL; 72 73 acct_name = nla_data(tb[NFACCT_NAME]); 74 if (strlen(acct_name) == 0) 75 return -EINVAL; 76 77 list_for_each_entry(nfacct, &nfnl_acct_net->nfnl_acct_list, head) { 78 if (strncmp(nfacct->name, acct_name, NFACCT_NAME_MAX) != 0) 79 continue; 80 81 if (nlh->nlmsg_flags & NLM_F_EXCL) 82 return -EEXIST; 83 84 matching = nfacct; 85 break; 86 } 87 88 if (matching) { 89 if (nlh->nlmsg_flags & NLM_F_REPLACE) { 90 /* reset counters if you request a replacement. */ 91 atomic64_set(&matching->pkts, 0); 92 atomic64_set(&matching->bytes, 0); 93 smp_mb__before_atomic(); 94 /* reset overquota flag if quota is enabled. */ 95 if ((matching->flags & NFACCT_F_QUOTA)) 96 clear_bit(NFACCT_OVERQUOTA_BIT, 97 &matching->flags); 98 return 0; 99 } 100 return -EBUSY; 101 } 102 103 if (tb[NFACCT_FLAGS]) { 104 flags = ntohl(nla_get_be32(tb[NFACCT_FLAGS])); 105 if (flags & ~NFACCT_F_QUOTA) 106 return -EOPNOTSUPP; 107 if ((flags & NFACCT_F_QUOTA) == NFACCT_F_QUOTA) 108 return -EINVAL; 109 if (flags & NFACCT_F_OVERQUOTA) 110 return -EINVAL; 111 if ((flags & NFACCT_F_QUOTA) && !tb[NFACCT_QUOTA]) 112 return -EINVAL; 113 114 size += sizeof(u64); 115 } 116 117 nfacct = kzalloc(sizeof(struct nf_acct) + size, GFP_KERNEL); 118 if (nfacct == NULL) 119 return -ENOMEM; 120 121 if (flags & NFACCT_F_QUOTA) { 122 u64 *quota = (u64 *)nfacct->data; 123 124 *quota = be64_to_cpu(nla_get_be64(tb[NFACCT_QUOTA])); 125 nfacct->flags = flags; 126 } 127 128 nla_strscpy(nfacct->name, tb[NFACCT_NAME], NFACCT_NAME_MAX); 129 130 if (tb[NFACCT_BYTES]) { 131 atomic64_set(&nfacct->bytes, 132 be64_to_cpu(nla_get_be64(tb[NFACCT_BYTES]))); 133 } 134 if (tb[NFACCT_PKTS]) { 135 atomic64_set(&nfacct->pkts, 136 be64_to_cpu(nla_get_be64(tb[NFACCT_PKTS]))); 137 } 138 refcount_set(&nfacct->refcnt, 1); 139 list_add_tail_rcu(&nfacct->head, &nfnl_acct_net->nfnl_acct_list); 140 return 0; 141 } 142 143 static int 144 nfnl_acct_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type, 145 int event, struct nf_acct *acct) 146 { 147 struct nlmsghdr *nlh; 148 struct nfgenmsg *nfmsg; 149 unsigned int flags = portid ? NLM_F_MULTI : 0; 150 u64 pkts, bytes; 151 u32 old_flags; 152 153 event = nfnl_msg_type(NFNL_SUBSYS_ACCT, event); 154 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); 155 if (nlh == NULL) 156 goto nlmsg_failure; 157 158 nfmsg = nlmsg_data(nlh); 159 nfmsg->nfgen_family = AF_UNSPEC; 160 nfmsg->version = NFNETLINK_V0; 161 nfmsg->res_id = 0; 162 163 if (nla_put_string(skb, NFACCT_NAME, acct->name)) 164 goto nla_put_failure; 165 166 old_flags = acct->flags; 167 if (type == NFNL_MSG_ACCT_GET_CTRZERO) { 168 pkts = atomic64_xchg(&acct->pkts, 0); 169 bytes = atomic64_xchg(&acct->bytes, 0); 170 smp_mb__before_atomic(); 171 if (acct->flags & NFACCT_F_QUOTA) 172 clear_bit(NFACCT_OVERQUOTA_BIT, &acct->flags); 173 } else { 174 pkts = atomic64_read(&acct->pkts); 175 bytes = atomic64_read(&acct->bytes); 176 } 177 if (nla_put_be64(skb, NFACCT_PKTS, cpu_to_be64(pkts), 178 NFACCT_PAD) || 179 nla_put_be64(skb, NFACCT_BYTES, cpu_to_be64(bytes), 180 NFACCT_PAD) || 181 nla_put_be32(skb, NFACCT_USE, htonl(refcount_read(&acct->refcnt)))) 182 goto nla_put_failure; 183 if (acct->flags & NFACCT_F_QUOTA) { 184 u64 *quota = (u64 *)acct->data; 185 186 if (nla_put_be32(skb, NFACCT_FLAGS, htonl(old_flags)) || 187 nla_put_be64(skb, NFACCT_QUOTA, cpu_to_be64(*quota), 188 NFACCT_PAD)) 189 goto nla_put_failure; 190 } 191 nlmsg_end(skb, nlh); 192 return skb->len; 193 194 nlmsg_failure: 195 nla_put_failure: 196 nlmsg_cancel(skb, nlh); 197 return -1; 198 } 199 200 static int 201 nfnl_acct_dump(struct sk_buff *skb, struct netlink_callback *cb) 202 { 203 struct net *net = sock_net(skb->sk); 204 struct nfnl_acct_net *nfnl_acct_net = nfnl_acct_pernet(net); 205 struct nf_acct *cur, *last; 206 const struct nfacct_filter *filter = cb->data; 207 208 if (cb->args[2]) 209 return 0; 210 211 last = (struct nf_acct *)cb->args[1]; 212 if (cb->args[1]) 213 cb->args[1] = 0; 214 215 rcu_read_lock(); 216 list_for_each_entry_rcu(cur, &nfnl_acct_net->nfnl_acct_list, head) { 217 if (last) { 218 if (cur != last) 219 continue; 220 221 last = NULL; 222 } 223 224 if (filter && (cur->flags & filter->mask) != filter->value) 225 continue; 226 227 if (nfnl_acct_fill_info(skb, NETLINK_CB(cb->skb).portid, 228 cb->nlh->nlmsg_seq, 229 NFNL_MSG_TYPE(cb->nlh->nlmsg_type), 230 NFNL_MSG_ACCT_NEW, cur) < 0) { 231 cb->args[1] = (unsigned long)cur; 232 break; 233 } 234 } 235 if (!cb->args[1]) 236 cb->args[2] = 1; 237 rcu_read_unlock(); 238 return skb->len; 239 } 240 241 static int nfnl_acct_done(struct netlink_callback *cb) 242 { 243 kfree(cb->data); 244 return 0; 245 } 246 247 static const struct nla_policy filter_policy[NFACCT_FILTER_MAX + 1] = { 248 [NFACCT_FILTER_MASK] = { .type = NLA_U32 }, 249 [NFACCT_FILTER_VALUE] = { .type = NLA_U32 }, 250 }; 251 252 static int nfnl_acct_start(struct netlink_callback *cb) 253 { 254 const struct nlattr *const attr = cb->data; 255 struct nlattr *tb[NFACCT_FILTER_MAX + 1]; 256 struct nfacct_filter *filter; 257 int err; 258 259 if (!attr) 260 return 0; 261 262 err = nla_parse_nested_deprecated(tb, NFACCT_FILTER_MAX, attr, 263 filter_policy, NULL); 264 if (err < 0) 265 return err; 266 267 if (!tb[NFACCT_FILTER_MASK] || !tb[NFACCT_FILTER_VALUE]) 268 return -EINVAL; 269 270 filter = kzalloc(sizeof(struct nfacct_filter), GFP_KERNEL); 271 if (!filter) 272 return -ENOMEM; 273 274 filter->mask = ntohl(nla_get_be32(tb[NFACCT_FILTER_MASK])); 275 filter->value = ntohl(nla_get_be32(tb[NFACCT_FILTER_VALUE])); 276 cb->data = filter; 277 278 return 0; 279 } 280 281 static int nfnl_acct_get(struct net *net, struct sock *nfnl, 282 struct sk_buff *skb, const struct nlmsghdr *nlh, 283 const struct nlattr * const tb[], 284 struct netlink_ext_ack *extack) 285 { 286 struct nfnl_acct_net *nfnl_acct_net = nfnl_acct_pernet(net); 287 int ret = -ENOENT; 288 struct nf_acct *cur; 289 char *acct_name; 290 291 if (nlh->nlmsg_flags & NLM_F_DUMP) { 292 struct netlink_dump_control c = { 293 .dump = nfnl_acct_dump, 294 .start = nfnl_acct_start, 295 .done = nfnl_acct_done, 296 .data = (void *)tb[NFACCT_FILTER], 297 }; 298 299 return netlink_dump_start(nfnl, skb, nlh, &c); 300 } 301 302 if (!tb[NFACCT_NAME]) 303 return -EINVAL; 304 acct_name = nla_data(tb[NFACCT_NAME]); 305 306 list_for_each_entry(cur, &nfnl_acct_net->nfnl_acct_list, head) { 307 struct sk_buff *skb2; 308 309 if (strncmp(cur->name, acct_name, NFACCT_NAME_MAX)!= 0) 310 continue; 311 312 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 313 if (skb2 == NULL) { 314 ret = -ENOMEM; 315 break; 316 } 317 318 ret = nfnl_acct_fill_info(skb2, NETLINK_CB(skb).portid, 319 nlh->nlmsg_seq, 320 NFNL_MSG_TYPE(nlh->nlmsg_type), 321 NFNL_MSG_ACCT_NEW, cur); 322 if (ret <= 0) { 323 kfree_skb(skb2); 324 break; 325 } 326 ret = netlink_unicast(nfnl, skb2, NETLINK_CB(skb).portid, 327 MSG_DONTWAIT); 328 if (ret > 0) 329 ret = 0; 330 331 /* this avoids a loop in nfnetlink. */ 332 return ret == -EAGAIN ? -ENOBUFS : ret; 333 } 334 return ret; 335 } 336 337 /* try to delete object, fail if it is still in use. */ 338 static int nfnl_acct_try_del(struct nf_acct *cur) 339 { 340 int ret = 0; 341 342 /* We want to avoid races with nfnl_acct_put. So only when the current 343 * refcnt is 1, we decrease it to 0. 344 */ 345 if (refcount_dec_if_one(&cur->refcnt)) { 346 /* We are protected by nfnl mutex. */ 347 list_del_rcu(&cur->head); 348 kfree_rcu(cur, rcu_head); 349 } else { 350 ret = -EBUSY; 351 } 352 return ret; 353 } 354 355 static int nfnl_acct_del(struct net *net, struct sock *nfnl, 356 struct sk_buff *skb, const struct nlmsghdr *nlh, 357 const struct nlattr * const tb[], 358 struct netlink_ext_ack *extack) 359 { 360 struct nfnl_acct_net *nfnl_acct_net = nfnl_acct_pernet(net); 361 struct nf_acct *cur, *tmp; 362 int ret = -ENOENT; 363 char *acct_name; 364 365 if (!tb[NFACCT_NAME]) { 366 list_for_each_entry_safe(cur, tmp, &nfnl_acct_net->nfnl_acct_list, head) 367 nfnl_acct_try_del(cur); 368 369 return 0; 370 } 371 acct_name = nla_data(tb[NFACCT_NAME]); 372 373 list_for_each_entry(cur, &nfnl_acct_net->nfnl_acct_list, head) { 374 if (strncmp(cur->name, acct_name, NFACCT_NAME_MAX) != 0) 375 continue; 376 377 ret = nfnl_acct_try_del(cur); 378 if (ret < 0) 379 return ret; 380 381 break; 382 } 383 return ret; 384 } 385 386 static const struct nla_policy nfnl_acct_policy[NFACCT_MAX+1] = { 387 [NFACCT_NAME] = { .type = NLA_NUL_STRING, .len = NFACCT_NAME_MAX-1 }, 388 [NFACCT_BYTES] = { .type = NLA_U64 }, 389 [NFACCT_PKTS] = { .type = NLA_U64 }, 390 [NFACCT_FLAGS] = { .type = NLA_U32 }, 391 [NFACCT_QUOTA] = { .type = NLA_U64 }, 392 [NFACCT_FILTER] = {.type = NLA_NESTED }, 393 }; 394 395 static const struct nfnl_callback nfnl_acct_cb[NFNL_MSG_ACCT_MAX] = { 396 [NFNL_MSG_ACCT_NEW] = { .call = nfnl_acct_new, 397 .attr_count = NFACCT_MAX, 398 .policy = nfnl_acct_policy }, 399 [NFNL_MSG_ACCT_GET] = { .call = nfnl_acct_get, 400 .attr_count = NFACCT_MAX, 401 .policy = nfnl_acct_policy }, 402 [NFNL_MSG_ACCT_GET_CTRZERO] = { .call = nfnl_acct_get, 403 .attr_count = NFACCT_MAX, 404 .policy = nfnl_acct_policy }, 405 [NFNL_MSG_ACCT_DEL] = { .call = nfnl_acct_del, 406 .attr_count = NFACCT_MAX, 407 .policy = nfnl_acct_policy }, 408 }; 409 410 static const struct nfnetlink_subsystem nfnl_acct_subsys = { 411 .name = "acct", 412 .subsys_id = NFNL_SUBSYS_ACCT, 413 .cb_count = NFNL_MSG_ACCT_MAX, 414 .cb = nfnl_acct_cb, 415 }; 416 417 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_ACCT); 418 419 struct nf_acct *nfnl_acct_find_get(struct net *net, const char *acct_name) 420 { 421 struct nfnl_acct_net *nfnl_acct_net = nfnl_acct_pernet(net); 422 struct nf_acct *cur, *acct = NULL; 423 424 rcu_read_lock(); 425 list_for_each_entry_rcu(cur, &nfnl_acct_net->nfnl_acct_list, head) { 426 if (strncmp(cur->name, acct_name, NFACCT_NAME_MAX)!= 0) 427 continue; 428 429 if (!try_module_get(THIS_MODULE)) 430 goto err; 431 432 if (!refcount_inc_not_zero(&cur->refcnt)) { 433 module_put(THIS_MODULE); 434 goto err; 435 } 436 437 acct = cur; 438 break; 439 } 440 err: 441 rcu_read_unlock(); 442 return acct; 443 } 444 EXPORT_SYMBOL_GPL(nfnl_acct_find_get); 445 446 void nfnl_acct_put(struct nf_acct *acct) 447 { 448 if (refcount_dec_and_test(&acct->refcnt)) 449 kfree_rcu(acct, rcu_head); 450 451 module_put(THIS_MODULE); 452 } 453 EXPORT_SYMBOL_GPL(nfnl_acct_put); 454 455 void nfnl_acct_update(const struct sk_buff *skb, struct nf_acct *nfacct) 456 { 457 atomic64_inc(&nfacct->pkts); 458 atomic64_add(skb->len, &nfacct->bytes); 459 } 460 EXPORT_SYMBOL_GPL(nfnl_acct_update); 461 462 static void nfnl_overquota_report(struct net *net, struct nf_acct *nfacct) 463 { 464 int ret; 465 struct sk_buff *skb; 466 467 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 468 if (skb == NULL) 469 return; 470 471 ret = nfnl_acct_fill_info(skb, 0, 0, NFNL_MSG_ACCT_OVERQUOTA, 0, 472 nfacct); 473 if (ret <= 0) { 474 kfree_skb(skb); 475 return; 476 } 477 netlink_broadcast(net->nfnl, skb, 0, NFNLGRP_ACCT_QUOTA, 478 GFP_ATOMIC); 479 } 480 481 int nfnl_acct_overquota(struct net *net, struct nf_acct *nfacct) 482 { 483 u64 now; 484 u64 *quota; 485 int ret = NFACCT_UNDERQUOTA; 486 487 /* no place here if we don't have a quota */ 488 if (!(nfacct->flags & NFACCT_F_QUOTA)) 489 return NFACCT_NO_QUOTA; 490 491 quota = (u64 *)nfacct->data; 492 now = (nfacct->flags & NFACCT_F_QUOTA_PKTS) ? 493 atomic64_read(&nfacct->pkts) : atomic64_read(&nfacct->bytes); 494 495 ret = now > *quota; 496 497 if (now >= *quota && 498 !test_and_set_bit(NFACCT_OVERQUOTA_BIT, &nfacct->flags)) { 499 nfnl_overquota_report(net, nfacct); 500 } 501 502 return ret; 503 } 504 EXPORT_SYMBOL_GPL(nfnl_acct_overquota); 505 506 static int __net_init nfnl_acct_net_init(struct net *net) 507 { 508 INIT_LIST_HEAD(&nfnl_acct_pernet(net)->nfnl_acct_list); 509 510 return 0; 511 } 512 513 static void __net_exit nfnl_acct_net_exit(struct net *net) 514 { 515 struct nfnl_acct_net *nfnl_acct_net = nfnl_acct_pernet(net); 516 struct nf_acct *cur, *tmp; 517 518 list_for_each_entry_safe(cur, tmp, &nfnl_acct_net->nfnl_acct_list, head) { 519 list_del_rcu(&cur->head); 520 521 if (refcount_dec_and_test(&cur->refcnt)) 522 kfree_rcu(cur, rcu_head); 523 } 524 } 525 526 static struct pernet_operations nfnl_acct_ops = { 527 .init = nfnl_acct_net_init, 528 .exit = nfnl_acct_net_exit, 529 .id = &nfnl_acct_net_id, 530 .size = sizeof(struct nfnl_acct_net), 531 }; 532 533 static int __init nfnl_acct_init(void) 534 { 535 int ret; 536 537 ret = register_pernet_subsys(&nfnl_acct_ops); 538 if (ret < 0) { 539 pr_err("nfnl_acct_init: failed to register pernet ops\n"); 540 goto err_out; 541 } 542 543 ret = nfnetlink_subsys_register(&nfnl_acct_subsys); 544 if (ret < 0) { 545 pr_err("nfnl_acct_init: cannot register with nfnetlink.\n"); 546 goto cleanup_pernet; 547 } 548 return 0; 549 550 cleanup_pernet: 551 unregister_pernet_subsys(&nfnl_acct_ops); 552 err_out: 553 return ret; 554 } 555 556 static void __exit nfnl_acct_exit(void) 557 { 558 nfnetlink_subsys_unregister(&nfnl_acct_subsys); 559 unregister_pernet_subsys(&nfnl_acct_ops); 560 } 561 562 module_init(nfnl_acct_init); 563 module_exit(nfnl_acct_exit); 564